Revealed: Malware that skulks in memory, invisibly collecting sysadmins' passwords Cybercriminals have hit scores of enterprises in 40 countries using hidden malware. Banks, telecommunication companies and government organisations in the US, South America, Europe and Africa have already been hit by the ongoing (and stealthy) attacks. Kaspersky Lab experts report that the attacks harness widely available …
Meterpreter has existed for a very long time now, and is well known for being memory resident, which is why you can bypass 'traditional' AV which ususally looks at binaries on disk access. Wrap your meterpreter payload in msfvenom or veil-evasion and voila - you have an AV bypass. Invoking mimikatz with powershell to dump the credentials is also a common pentester habit - but again, hardly new.
"The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools"
Do you have a link to the license for this 'open source exploit code'. How exactly does Meterpreter initally infect the target Windows computer?
So the person infecting the system has to have access to the system to execute the code... or are they sending the code in via infected e-mail (suchg as a binary) or drive-by from a web page (such as a javascript exploit?).
I'd guess it's someone getting into the system and executing the code from their computer, or they remove the executionable once the code is in memory, so the problem is still with the initial intrusion. Doesn't make it any better, of cause, but understanding the process is important in developing a counter - and to be honest, what AV / Malware protection doesn't periodically scan the memory anyway? Or is it simply that the scripts don't show as malicious so go unreported?
Would be interesting to see what emerges from the investigation - if anything.
Ask yourself if any of your devices, beit an addon graphics card, HD, bios/uefi, can have its firmware updated?
If it can, then ask yourself if the typical default option in UEFI to allow virtualisation would make it possible to run virtual malware loaded via a shim in the UEFI, before the main OS.
I suspect Kasperksy may not have found the treasure chest, just a gold coin.
Even the NSA's TENS can update your bios/uefi and other malware if its connect to the net.
So you think by setting a user and/or admin password for your bios/uefi means your system is secure?
Once that password has been put in, can you update your bios/uefi from the OS?
Do device manufacturers and rebranders provide any software to validate their firmware?
Can you update the firmware of your addon graphics cards without having to short some jumper pins?
Can you update the firmware of your hard disk like a Samsung Evo SSD without having to short some jumper pins?
http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/
Sometimes your only clue you have been hacked is to watch the network lights and the hard disk lights when your machine boots up.
EG. If you switch on your PC and before it displays the bios/UEFI screen, you see a flurry of disk light activity, chances are your Bios/UEFI has a shim inserted, a simple couple lines of assembler, which directs your Bios/UEFI to another address which might be on your hard drive, or in your graphics card.
As these firmware chips always have space for future updates, its never detected. Has anyone checked the source code of their favourite Pen Testing distro and know what its doing?
So many people trust what they buy or download, they offload their responsibilities.
Who knows that BT & TalkTalk stream their TV & Film services over IPv6?
Simple test if you have one of these services, watch something online and then download something massive like a Linux distro from your computer over IPv4. Your IPv4 download will come down at max speed, provided your firewall allows IPv6.
Spot the anomalies and you cant spot the spooks, but they also play their games over decades, as it starts with your school reports and medical records, if not your parents or relatives if they weren't socially compliant and docile!
Tarred with the same brush springs to mind, in the name of Defence.
Who said Signal Intelligence was just hacking computers? Everybody is known to the spooks, its just they cant predict when someone loses it. Lets face it, most people cant even predict when they will lose it, so is it any surprise that the US is building a wall, and clamping down on illegals? Peoples education and upbringing can create cognitive dissonance which usually generates a lot of anger. Some Middle Eastern countries are not up to speed with the way the Western society works, as we see in German with young girls being groped in swimming pools as one example.
Resource Burn, its a valid technique when hacking, and lets face it, I know of no pen tester or AV coder who knows all the code in the software they rely on, hell none of you even know the code in your firmware.
Is it any wonder, millions of systems around the world are already pwned?
The important question everyone should be asking is, is it right that the Govt spies on you, using a variety of centralised databases and other methods from the day you are born though?
They are killing off the intelligent one's who can spot these things, which makes them no better than the terrorists, pedo's, rapists, drug dealers, killers or any other human action which has been made a crime because no one has a say over the laws you are born unto!
"Looks like someone's not checking what's running on their critical servers very often."
Or maybe they are checking and don't know how to distinguish between legit code and malware.
Or maybe the malware has hidden itself, given sufficiently privileged access.
Quite a few possibilities.
What's obviously not possible is people (including those at AV companies) looking at running critical parts of the business on an OS that has a bit more solidity than a sieve. Not possible this year anyway. And given the DerbyCon reference was 2013, and Stuxnet was 2010, [and ...], maybe some people don't *want* to think about it. Ever.
Have a lot of fun.
Infecting one PC with memory resident malware would allow it to infect other PCs using any random remote exploit combined with an escalation of privileges once aboard the new target.
Then even rebooting won't fix anything, you'll be reinfected by one of the other infected PCs. Even after a patch Tuesday update everything will eventually be reinfected, since not every PC will be rebooted at the same time. Even if the hole being used is patched, or an AV software vendor developed detection for it, the malware could download updates to continue operation (masquerading as what looks like normal web queries to mask the activity)
It written well enough and properly maintained, it could essentially be immortal. What are you going to do, get everyone in the company to shut down every PC all at once? Yeah right!
There are so many goofy services running by default under Windows that it makes it quite difficult to spot things that shouldn't be there. I ran into a machine the other week that was running out of memory because WinHttpAutoProxySvc has a memory leak. That's a service that runs by default and that automatically searches for proxies to connect to. Why in the name of dog would such a thing be running by default?
That's just considering the stuff that comes with the OS. Once other software gets installed you can be guaranteed to find WhoKnowsWhatThisCouldPossiblyDo.exe running through svchost.exe. You search the tubes for it find "That was installed by Adobe, nobody knows what it does."
I'm seeing the same thing creeping into Linux systems too. It wasn't that long ago that "ps aux" on a server would give a fairly short list of processes, each of which were well known.
I can't help noticing that most scary stories (TM) like this one follow the same template....
Web and Network Security Expert (insert name here) warns of very scary exploit (insert exploit name here) that might make you sufficiently scared that you might want to consider.....
a) Purchasing Web and Network Security Expert (insert name here)'s latest exploit defence software (insert product name here)
b) Procuring the services of Web and Network Security Expert (insert name here) to give your setup an overhaul/assessment.
c) Attending Web and Network Security Expert (insert name here)'s next seminar where you can hear more scary stories(TM) and get the low down on how great their software/services/seminars really are.
Or better still, all three!!
John,
It's ridiculously selfish, not to mention stealing... when you don't provide direct references to the original blog/article etc. you are paraphrasing or copying. Especially, when you provide only 20% of the original article, which can be found at Kaspersky's Securelist blog here:
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
..effing thieves.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
